1. Introduction and Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Portal Worx Ltd, a company incorporated in England and Wales ("Processor", "we", "us"), and the organisation subscribing to the Portal Worx platform ("Controller", "you", "your").
This DPA applies to the processing of personal data by Portal Worx on behalf of the Controller in connection with the provision of the Service. It is designed to meet the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the Protection of Personal Information Act 4 of 2013 of South Africa (POPIA), the EU General Data Protection Regulation (GDPR) where applicable, and other applicable data protection laws.
By subscribing to the Service, you accept this DPA. If you are entering into this DPA on behalf of an organisation, you represent that you have the authority to bind that organisation.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection laws
- "Processing" means any operation performed on Personal Data, including collection, storage, modification, retrieval, use, disclosure, and deletion
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates
- "Sub-Processor" means a third-party service provider engaged by the Processor to process Personal Data on behalf of the Controller
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data
- "Supervisory Authority" means an independent public authority responsible for monitoring the application of data protection laws, including the Information Commissioner's Office (ICO) in the United Kingdom, the Information Regulator in South Africa, and EU supervisory authorities
3. Roles and Responsibilities
3.1 Controller
The Controller (your organisation) determines the purposes and means of processing Personal Data within the Service. As a Controller, you are responsible for:
- Ensuring that you have a lawful basis for processing Personal Data through the Service
- Providing appropriate privacy notices to your users (Data Subjects)
- Responding to data subject access requests from your users, using the platform's built-in tools where available
- Ensuring that Personal Data uploaded to the Service is accurate and, where necessary, kept up to date
- Configuring appropriate privacy and access controls within the platform
3.2 Processor
Portal Worx acts as a Processor, processing Personal Data only on behalf of and under the documented instructions of the Controller. As a Processor, we are responsible for:
- Processing Personal Data only in accordance with the Controller's documented instructions and the terms of this DPA
- Implementing appropriate technical and organisational security measures
- Assisting the Controller in fulfilling its obligations regarding data subject rights, data breach notification, and data protection impact assessments
- Ensuring that personnel authorised to process Personal Data are bound by confidentiality obligations
- Notifying the Controller without undue delay upon becoming aware of a Data Breach
4. Scope of Processing
4.1 Categories of Data Subjects
Personal Data processed through the Service may relate to the following categories of Data Subjects:
- The Controller's employees, contractors, and team members who use the platform
- Client users invited to the Controller's workspace
- Third parties whose personal data is uploaded to the platform by the Controller's users (e.g., in project documents or reports)
4.2 Categories of Personal Data
The following categories of Personal Data may be processed:
- Identity data: names, email addresses, job titles, phone numbers, locations, profile pictures
- Authentication data: password hashes, login history, IP addresses, user agents
- Professional data: company name, bio, organisational role
- Communication data: direct messages, document comments, notification preferences
- Project data: project names, descriptions, locations, uploaded documents, images, and reports (which may contain Personal Data)
- Activity data: audit logs, timestamps of user actions
- Billing data: subscription plan, billing history (payment card details are processed directly by Stripe and are not stored by Portal Worx)
4.3 Purpose and Nature of Processing
Personal Data is processed for the following purposes:
- Providing and maintaining the Service, including user authentication, project management, file storage, and team collaboration
- Sending platform notifications and email communications
- Processing payments and managing subscriptions (via Stripe)
- Security monitoring, audit logging, and fraud prevention
- AI-powered features (optional, project metadata only — no personal user data is sent to AI providers)
- Providing customer support
4.4 Duration of Processing
Personal Data will be processed for the duration of the Controller's subscription to the Service. Upon termination or expiry of the subscription, data will be retained and deleted in accordance with Section 10 of this DPA and our Privacy Policy.
5. Security Measures
The Processor implements the following technical and organisational measures to protect Personal Data, in accordance with GDPR Article 32, UK GDPR Article 32, and POPIA Section 19:
5.1 Technical Measures
- Encryption of data in transit using TLS/SSL
- Encryption of data at rest on AWS infrastructure
- Secure password hashing using PBKDF2 with high iteration counts
- HTTP-only, Secure, SameSite cookies for authentication tokens
- CSRF protection on all state-changing API endpoints
- Database-level tenant isolation using separate PostgreSQL schemas per organisation
- UUID-based file naming for data pseudonymisation
- Tenant-prefixed S3 storage paths for file-level isolation
- Time-limited signed URLs for file access (no direct public access)
- Account lockout after repeated failed authentication attempts
- Rate limiting on sensitive endpoints
- File upload validation with MIME type verification and executable file blocking
- Automated backup procedures with managed AWS RDS
5.2 Organisational Measures
- Comprehensive security audit logging with categorisation and severity tracking
- Role-based access control with a 4-tier permission hierarchy (Superadmin, Admin, User, Client)
- Configurable granular permissions (21+ permission types) with dependency cascading
- Self-protection controls (users cannot change their own role, deactivate themselves, or delete their own account)
- Last-superadmin protection (preventing removal of the only administrative account)
- Confidentiality obligations for all personnel with access to Personal Data
6. Sub-Processors
6.1 Authorised Sub-Processors
The Controller authorises the use of the following Sub-Processors. Each Sub-Processor processes data only for the specific purposes described:
| Sub-Processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, database, file storage, content delivery, email delivery | Global (multiple regions) | All Service data |
| Stripe, Inc. | Payment processing | United States | Billing and payment information |
| Cloudflare, Inc. | Bot protection (Turnstile) during account registration | Global | Device interaction signals, IP addresses |
| Google LLC | Location display (Maps API) | United States | Project location coordinates and addresses |
| OpenAI, Inc. | AI-powered project summary generation (optional feature) | United States | Project metadata only (names, descriptions, dates, activity summaries). No personal user data |
6.2 Sub-Processor Obligations
Each Sub-Processor is bound by a written agreement that imposes data protection obligations no less protective than those in this DPA. The Processor remains fully liable to the Controller for the performance of each Sub-Processor's obligations.
6.3 Changes to Sub-Processors
The Processor will notify the Controller at least 30 days before engaging a new Sub-Processor or making material changes to existing Sub-Processor arrangements. Notification will be provided by updating this DPA and notifying the Controller by email.
The Controller may object to a new Sub-Processor on reasonable data protection grounds within 14 days of receiving notification. If the objection cannot be resolved, either party may terminate the affected Service component.
7. Data Subject Rights
The Processor will assist the Controller in fulfilling its obligations to respond to data subject requests, including:
- Access requests: The Controller can access and export user data through the platform's administrative features
- Rectification requests: Users can update their own profile information directly. Administrators can update user details through the platform
- Erasure requests: The platform provides built-in user anonymisation and deletion functionality. When a user is deleted, their personal data is anonymised (email replaced with a pseudonymous identifier, profile information cleared, profile pictures deleted from storage)
- Data portability: Reports can be exported as PDF files. Documents and images can be downloaded in bulk as ZIP archives
- Restriction and objection: The Controller can deactivate user accounts to restrict processing, or adjust user permissions to limit data access
The Processor will respond to Controller requests for assistance with data subject rights within a reasonable timeframe, and in any event within the timeframes required by applicable law.
8. Data Breach Notification
8.1 Notification to Controller
The Processor will notify the Controller without undue delay, and in any event within 48 hours, upon becoming aware of a Data Breach affecting the Controller's Personal Data. The notification will include:
- A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and records concerned
- The name and contact details of the Processor's point of contact for further information
- A description of the likely consequences of the Data Breach
- A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects
8.2 Processor Obligations
Following a Data Breach, the Processor will:
- Take immediate steps to contain and remediate the breach
- Cooperate with the Controller in investigating the breach and notifying affected Data Subjects and supervisory authorities as required
- Document all Data Breaches, including facts, effects, and remedial actions taken
- Provide ongoing updates to the Controller as the investigation progresses
8.3 Controller Obligations
The Controller is responsible for notifying the relevant supervisory authority (within 72 hours under GDPR, or as soon as reasonably possible under POPIA) and affected Data Subjects where required. The Processor will provide reasonable assistance.
9. International Data Transfers
Personal Data may be transferred to and processed in countries outside the Controller's jurisdiction, including countries where our Sub-Processors operate.
Where Personal Data is transferred from the EEA, the UK, or South Africa to a country that has not been recognised as providing an adequate level of data protection, the Processor ensures that appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): EU Commission-approved SCCs for transfers from the EEA, and the UK International Data Transfer Addendum for transfers from the UK
- POPIA Section 72 safeguards: Binding agreements with Sub-Processors that ensure an adequate level of protection for transfers from South Africa
- Sub-Processor commitments: All Sub-Processors maintain their own data protection certifications and compliance programmes (e.g., AWS GDPR Data Processing Addendum, Stripe's DPA, Cloudflare's DPA)
10. Data Retention and Deletion
10.1 During the Subscription
Personal Data is retained for the duration of the Controller's subscription. Deleted items (projects, documents, reports) are held in a 30-day trash recovery window before permanent deletion. User accounts can be deactivated or deleted by organisation administrators at any time.
10.2 Upon Termination
Upon termination of the subscription:
- The Controller's account will be placed in a read-only state, allowing data export
- If account deletion is requested, a 30-day grace period applies during which the deletion can be cancelled
- After the grace period, all Personal Data associated with the Controller's organisation will be permanently and irreversibly deleted, including all database records and files stored on AWS S3
- Certain data may be retained beyond deletion as required by law (e.g., billing records for 7 years for tax compliance, security audit logs for up to 365 days)
10.3 Anonymisation
When individual user accounts are deleted, their Personal Data is anonymised rather than simply removed. This includes replacing email addresses with pseudonymous identifiers, clearing profile information, deleting profile pictures from storage, and scrubbing personal data from email and activity logs. Audit trail records are preserved in an anonymised form for security and compliance purposes.
10.4 Direct Messages
Direct messages between users within an organisation are retained for the lifetime of the sending user's account. When that account is permanently deleted, every direct message body authored by the deleted user is overwritten in-place with a placeholder so the original content is no longer recoverable; recipients see a “Message removed” placeholder in place of the original content. Recipient copies of their own outgoing messages are retained as part of the recipient's own data — they are not deleted as a side-effect of the sender's account deletion.
Senders can also delete individual direct messages they sent at any time. This is a hard delete on both sides of the conversation — the message disappears from both the sender's and the recipient's view in real time. Recipients cannot delete messages sent by another user. Together these two mechanisms satisfy GDPR Article 17 (right to erasure) for the direct-message surface.
11. Audits and Compliance
The Processor will make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA. This includes:
- Providing documentation of security measures and data protection practices upon reasonable request
- Allowing the Controller to conduct audits or inspections, either directly or through a mandated auditor, subject to reasonable notice (at least 30 days) and scope limitations to protect the confidentiality and security of other customers' data
- Contributing to data protection impact assessments (DPIAs) where the Controller's processing is likely to result in a high risk to Data Subjects
Audits will be conducted at the Controller's expense and will not unreasonably interfere with the Processor's business operations. The Controller may exercise its audit rights no more than once per calendar year, unless required by a supervisory authority or in the event of a Data Breach.
12. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of data protection law to the extent that such liability cannot be limited under applicable law.
13. Term and Termination
This DPA takes effect when the Controller subscribes to the Service and remains in force for the duration of the Processor's processing of Personal Data on behalf of the Controller. The obligations in this DPA that relate to the protection and deletion of Personal Data will survive termination.
14. Governing Law
This DPA is governed by the laws of England and Wales, without prejudice to the mandatory data protection laws applicable to the Controller in its jurisdiction (including the UK GDPR, EU GDPR, POPIA, or other applicable data protection laws). The courts of England and Wales shall have exclusive jurisdiction, save that nothing in this clause prevents either party from seeking injunctive or equivalent urgent relief in any competent court.
15. Changes to This Agreement
We may update this DPA from time to time to reflect changes in our processing activities, Sub-Processor arrangements, or applicable law. Material changes will be communicated to the Controller via email at least 30 days before taking effect.
16. Contact Us
For questions about this Data Processing Agreement or our data protection practices, please contact us: